Re: WCCP transparent proxy

On 12/10/11 22:19, nipun_mlist Assam wrote:
On Wed, Oct 12, 2011 at 11:05 AM, Amos Jeffries<squid3@xxxxxxxxxxxxx>  wrote:
On 12/10/11 17:33, nipun_mlist Assam wrote:

This may be relevant to this question.
While trying to use squid for transparent proxy (tproxy) on linux
(kernel 2.6.39 with centos 6.0), I noticed the following

1. Client IP spoofing doesn't work (but for our work, this requirement
was a must).

In what way?

The root web server was seeing the IP of the squid box, not of the
client machine, for all http requests. I.e. the web server will see
that the HTTP requests are coming from the squid box. Our requirement
is that both the web servers and client machines should not be aware
of a squid proxy sitting in between and hence they should not see the
IP of the squid box in HTTP-related traffic.

squid.conf is as shown below (I am pasting only http_port related lines):

.
.
http_port  85 tproxy
http_port  86 ssl-bump cert=/extra/squid/etc/Centos6.0.pem tproxy generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
.
.


IPTABLES was configured as shown below (port 80 traffic is forwarded
to port 85 where squid "expects" HTTP traffic, and port 443 traffic
is forwarded to port 86 where "HTTPS" traffic is expected):

  iptables -t mangle -N DIVERT
  iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
  iptables -t mangle -A DIVERT -j MARK --set-mark 1
  iptables -t mangle -A DIVERT -j ACCEPT
  ip rule add fwmark 1 lookup 100
  ip route add local 0.0.0.0/0 dev lo table 100
  iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 85
  iptables -t mangle -A PREROUTING -p tcp --dport 443 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 86




2. Squid with tproxy doesn't work with HTTPS traffic.

In what way?

HTTP:
  http_port 1 tproxy ...

HTTPS:
  https_port 2 tproxy ...



We cannot use https_port here, because we are seeing the traffic from
squid to the root webserver go out as http traffic after that.

That is the bug then. Outgoing traffic needs to check the request->flags to identify tproxy or intercepted. Also checking request->protocol for PROTO_HTTPS requests to re-encrypt.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.15
  Beta testers wanted for 3.2.0.12
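An added consistency check for the kind of setup pasted in this thread; it is example code, not code from the thread or from Squid. It parses the squid.conf port lines and the iptables/ip rules, confirms that every TPROXY --on-port lands on a tproxy-flagged listener and that the tproxy mark has a matching fwmark rule and local route via lo, and flags port-443 traffic diverted to an http_port instead of the https_port the reply recommends. The input is the thread's own configuration, re-typed with the wrapped lines joined.

```python
import re
# Constructed input: the squid.conf and iptables lines from the thread, with wrapped lines joined.
SQUID_CONF = """
http_port  85 tproxy
http_port  86 ssl-bump cert=/extra/squid/etc/Centos6.0.pem tproxy generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
"""
IPTABLES = """
iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 85
iptables -t mangle -A PREROUTING -p tcp --dport 443 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 86
"""
PORT_RE = re.compile(r"^\s*(https?_port)\s+(?:\S+:)?(\d+)(.*)$")
TPROXY_RE = re.compile(r"--dport\s+(\d+)\s+-j\s+TPROXY\s+--tproxy-mark\s+(0x[0-9a-fA-F]+|\d+)(?:/\S+)?\s+--on-port\s+(\d+)")
FWMARK_RE = re.compile(r"ip rule add fwmark\s+(0x[0-9a-fA-F]+|\d+)\s+lookup\s+(\d+)")
LOCAL_RE = re.compile(r"ip route add local 0\.0\.0\.0/0 dev lo table (\d+)")

def parse_squid_ports(conf):
    """Map each listening port to (directive, whether the tproxy flag is set)."""
    matches = (PORT_RE.match(line) for line in conf.splitlines())
    return {int(m.group(2)): (m.group(1), "tproxy" in m.group(3).split()) for m in matches if m}

def check_tproxy_setup(conf, rules):
    """Return a list of problems; an empty list means squid.conf and the iptables rules agree."""
    problems = []
    ports = parse_squid_ports(conf)
    fwmarks = {int(m.group(1), 0): int(m.group(2)) for m in FWMARK_RE.finditer(rules)}
    local_tables = {int(m.group(1)) for m in LOCAL_RE.finditer(rules)}
    for m in TPROXY_RE.finditer(rules):
        dport, mark, on_port = int(m.group(1)), int(m.group(2), 0), int(m.group(3))
        # Diverted packets only reach squid if the mark selects a table with a local route via lo.
        if mark not in fwmarks:
            problems.append(f"dport {dport}: tproxy-mark {mark:#x} has no matching 'ip rule add fwmark'")
        elif fwmarks[mark] not in local_tables:
            problems.append(f"dport {dport}: table {fwmarks[mark]} has no 'local 0.0.0.0/0 dev lo' route")
        if on_port not in ports:
            problems.append(f"dport {dport}: --on-port {on_port} is not a squid listening port")
            continue
        directive, is_tproxy = ports[on_port]
        if not is_tproxy:
            problems.append(f"port {on_port}: {directive} lacks the tproxy flag")
        # This is the mismatch the thread turns on: 443 diverted to an http_port instead of https_port.
        if dport == 443 and directive != "https_port":
            problems.append(f"port {on_port}: port-443 traffic diverted to {directive}; use https_port")
    return problems
```

Run against the thread's configuration it reports only the port-86 finding; swapping that line to https_port 86 ... tproxy yields an empty list.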


[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux